release.yml
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
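name: Release
run-name: ${{ inputs.crate }}@${{ inputs.version }} (DryRun:${{ inputs.dry_run }})

# Manually dispatched release workflow. `dry_run` defaults to true, so a
# dispatch publishes nothing unless the operator explicitly turns it off.
on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Run the release without actually releasing bits"
        type: boolean
        default: true
      crate:
        description: "The crate to release"
        required: true
        type: choice
        options:
          - containerd-shim-wasm-test-modules
          - oci-tar-builder
          - containerd-shim-wasm
          # shims
          - containerd-shim-wasmer
          - containerd-shim-wasmedge
          - containerd-shim-wasmtime
          - containerd-shim-wamr
      version:
        # Free-form text: it is validated by the pre-release job before any
        # later job uses it.
        description: "The version of the crate to release. (e.g., 1.2.3)"
        type: string
        required: true

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (OIDC for
# signing, contents: write for tagging/releasing) declare it themselves; a job
# without its own `permissions` block no longer inherits the repository-wide
# default, which may be read/write.
permissions:
  contents: read

# One run per crate/version pair.
# NOTE(review): cancel-in-progress also applies to non-dry runs, so a second
# dispatch for the same crate/version can interrupt a release between the
# publish, tag and release-creation steps. Confirm that is intended.
concurrency:
  group: release-${{ github.workflow }}-${{ inputs.crate }}-${{ inputs.version }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always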
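jobs:
  # Gate job: checks the branch and the dispatch inputs, derives `runtime` and
  # `is_shim` from the crate name, and republishes the inputs as job outputs so
  # the downstream jobs can splat them into their matrix.
  #
  # Inputs are handed to scripts through `env:` rather than expanded with
  # `${{ }}` inside the script text. An expression expanded into a script is
  # parsed as code by the shell / JavaScript engine; an environment variable
  # stays data.
  pre-release:
    name: pre-release checks
    runs-on: "ubuntu-latest"
    # This job only reads the repository; it never needs a writable token.
    permissions:
      contents: read
    outputs:
      crate: ${{ inputs.crate }}
      runtime: ${{ steps.runtime_sub.outputs.runtime }}
      version: ${{ inputs.version }}
      ### is_shim is a string, not a boolean, so use: is_shim == 'true'
      is_shim: ${{ steps.runtime_sub.outputs.is_shim }}
    steps:
      - name: Fail if branch is not main
        if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
        run: |
          echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main"
          exit 1
      # No later step in this job pushes to the repository, so the token is not
      # left behind in the local git config.
      # NOTE(review): actions here are pinned to a moving major tag; pinning to
      # a full commit SHA would make the release toolchain immutable.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: verify version input
        uses: actions/github-script@v7
        env:
          VERSION: ${{ inputs.version }}
        with:
          script: |
            const version = process.env.VERSION;
            // MAJOR.MINOR.PATCH with optional -prerelease / +build suffix.
            // Anchored at both ends with the dots escaped, so only characters
            // that are valid in a Cargo version get through.
            const pattern = /^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
            if (!pattern.test(version)) {
              core.setFailed(`The version '${version}' does not match regex ${pattern}.`);
            }
      ### Determine the name of the runtime and if it is a binary release or crates.io
      - name: substring runtime
        id: runtime_sub
        uses: actions/github-script@v7
        env:
          CRATE: ${{ inputs.crate }}
        with:
          script: |
            const crate = process.env.CRATE;
            const runtime = crate.replace(/^containerd-shim-/, '');
            const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
            if (non_shim_crates.includes(runtime)) {
              core.setOutput('runtime', 'common');
              core.setOutput('is_shim', false);
            } else {
              core.setOutput('runtime', runtime);
              core.setOutput('is_shim', true);
            }
      ### If we are releasing a crate rather than producing a bin, check for crates.io access
      # NOTE(review): this step is not gated on dry_run, so a dry run can still
      # change crates.io ownership using the publish token.
      - name: Add crates.io ownership
        if: ${{ steps.runtime_sub.outputs.is_shim != 'true' && github.repository == 'containerd/runwasi' }}
        run: |
          cargo owner --list "$CRATE" | grep github:containerd:runwasi-committers || \
            cargo owner --add github:containerd:runwasi-committers "$CRATE"
        env:
          CRATE: ${{ inputs.crate }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
      - name: Verify version matches
        # -F makes grep treat the version as a literal string, so the dots in
        # it cannot match arbitrary characters.
        run: |
          if [ "$(grep -cF "version = \"${VERSION}\"" "crates/${CRATE}/Cargo.toml")" -ne 1 ]; then
            echo "::error::Version in Cargo.toml does not match the version input"
            exit 1
          fi
        env:
          CRATE: ${{ inputs.crate }}
          VERSION: ${{ inputs.version }}

  # Builds (and signs) the artifacts for each architecture through the reusable
  # build workflow. `id-token: write` lets the called workflow request an OIDC
  # token; presumably that backs the `sign: true` step, which is defined in
  # action-build.yml and not visible here.
  build-and-sign:
    permissions:
      id-token: write
    needs:
      - pre-release
    strategy:
      matrix:
        arch: ["x86_64", "aarch64"]
        include:
          # Splat the pre-release outputs (crate, runtime, version, is_shim)
          # into every matrix entry.
          - ${{ needs.pre-release.outputs }}
    uses: ./.github/workflows/action-build.yml
    with:
      os: "ubuntu-22.04"
      runtime: ${{ matrix.runtime }}
      target: "${{ matrix.arch }}-unknown-linux-musl"
      slug: "${{ matrix.arch }}-linux-musl"
      arch: ${{ matrix.arch }}
      sign: true

  # Publishes the crate to crates.io (non-shim crates) or uploads the built
  # binaries to a GitHub release (shims), then tags the commit. Every step with
  # an external effect is skipped, or run with --dry-run, when `dry_run` is set.
  release:
    permissions:
      # Required to push the tag and to create the GitHub release.
      contents: write
    needs:
      - pre-release
      - build-and-sign
    strategy:
      matrix:
        os: ["ubuntu-latest"]
        include:
          - ${{ needs.pre-release.outputs }}
    runs-on: ${{ matrix.os }}
    steps:
      - name: Matrix description
        run: |
          echo "::notice::Running job with dry_run: '${DRY_RUN}', crate: '${CRATE}', version: '${VERSION}', runtime: '${RUNTIME}', and is_shim: '${IS_SHIM}'."
        env:
          DRY_RUN: ${{ inputs.dry_run }}
          CRATE: ${{ matrix.crate }}
          VERSION: ${{ matrix.version }}
          RUNTIME: ${{ matrix.runtime }}
          IS_SHIM: ${{ matrix.is_shim }}
      # Credentials stay persisted here on purpose: the tag push below relies
      # on them.
      - uses: actions/checkout@v4
      - name: Setup build env
        run: ./scripts/setup-linux.sh
      # NOTE(review): `@master` is a mutable branch ref, so the code that runs
      # in this contents:write job can change without any change to this file.
      # Pin to a full commit SHA (or at least a release tag) that is compatible
      # with the upload-artifact version used in action-build.yml.
      - name: Download artifacts
        if: ${{ matrix.is_shim == 'true' }}
        uses: actions/download-artifact@master
        with:
          path: release
      - name: Cargo publish
        if: ${{ matrix.is_shim != 'true' && github.repository == 'containerd/runwasi' }}
        # The only inline expression left is the dry_run boolean, which expands
        # to a fixed literal.
        run: cargo publish ${{ inputs.dry_run && '--dry-run' || '' }} --package "$CRATE" --verbose --locked
        env:
          CRATE: ${{ matrix.crate }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
      - name: Tag the the release
        if: ${{ !inputs.dry_run }}
        run: |
          git tag "${RELEASE_NAME}"
          git push origin "${RELEASE_NAME}"
        env:
          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
      - name: Extract release notes
        if: ${{ matrix.crate == 'containerd-shim-wasm' && !inputs.dry_run }}
        run: |
          cd "$GITHUB_WORKSPACE"
          ./scripts/extract-changelog.sh "v${VERSION}" > RELEASE_NOTES.md
          cat RELEASE_NOTES.md
        env:
          VERSION: ${{ matrix.version }}
      - name: Create release
        if: ${{ !inputs.dry_run }}
        run: |
          # Optional flags are collected in arrays so they expand to zero or
          # more whole arguments without relying on unquoted word splitting.
          PRERELEASE_ARGS=()
          if [[ "$VERSION" =~ .+-pre.* ]]; then
            PRERELEASE_ARGS=(--prerelease --latest=false)
          fi
          NOTES_ARGS=()
          if [[ -f RELEASE_NOTES.md ]]; then
            NOTES_ARGS=(--notes-file RELEASE_NOTES.md)
          fi
          # --verify-tag makes gh abort if the tag does not already exist in
          # the remote repository.
          gh release create "refs/tags/${RELEASE_NAME}" \
            --title "${RELEASE_NAME}" \
            "${NOTES_ARGS[@]}" \
            --verify-tag \
            "${PRERELEASE_ARGS[@]}"
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
          VERSION: ${{ matrix.version }}
      - name: Upload release artifacts
        if: ${{ matrix.is_shim == 'true' && !inputs.dry_run }}
        run: |
          for i in release/*/*; do
            gh release upload "${RELEASE_NAME}" "$i"
          done
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}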